From: Guido Trentalancia <guido@trentalancia.com>
Date: Wed, 28 Aug 2024 09:35:19 +0000 (+0200)
Subject: selinux: mark both IPv4 and IPv6 accepted connection sockets as labeled
X-Git-Tag: v6.12-rc1~199^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a3422eb4facdebb685b9b4688feb60430450e3c9;p=thirdparty%2Flinux.git

selinux: mark both IPv4 and IPv6 accepted connection sockets as labeled

The current partial labeling was introduced in 389fb800ac8b ("netlabel:
Label incoming TCP connections correctly in SELinux") due to the fact
that IPv6 labeling was not supported yet at the time.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
[PM: properly format the referenced commit ID, adjust subject]
Signed-off-by: Paul Moore <paul@paul-moore.com>
---

diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 63c481dd71bb6..5ad2fd68abbf1 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -359,7 +359,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
 {
 	struct sk_security_struct *sksec = sk->sk_security;
 
-	if (family == PF_INET)
+	if (family == PF_INET || family == PF_INET6)
 		sksec->nlbl_state = NLBL_LABELED;
 	else
 		sksec->nlbl_state = NLBL_UNSET;